from the the-hidden-war dept

Update: Gizmodo is calling bullshit on these claims. They're likely correct that this attack was not a "threat" to the overall internet, but I also believe that Gizmodo is underplaying the potential problems from open resolvers.

We've known for a while that there are a number of people out there who really dislike Spamhaus, one of the better-known providers of a blacklist of spam IP addresses. For what it's worth, there are times when it feels like Spamhaus may go overboard in declaring an IP or range of IP addresses as spammers. And, to some extent, because of that, it seems like some who use the Spamhaus list rely on it a bit too strongly. That said, Spamhaus is doing important work in helping to stop the internet from being overrun with spam, and that's a good thing. But sometimes those whom it pisses off aren't particularly nice people. Last week, Spamhaus added hosting company Cyberbunker to its spam list. Someone didn't like that very much, and thus began a very big DDoS attack using open DNS recursors. Spamhaus went to Cloudflare, who was able to mitigate the worst of the attack.

But... that just led to round two, in which whoever was behind the DDoS went much, much bigger, attacking a bunch of the providers who supply Cloudflare with its bandwidth. Basically, it was massive firepower directed at some key points on the internet. And it was a pretty big deal. Cloudflare's blog post stays away from getting too expressive about the whole thing, but just the fact that they note the attack came close to "breaking" the internet should get you to wake up.

Tier 1 networks don't buy bandwidth from anyone, so the majority of the weight of the attack ended up being carried by them. While we don't have direct visibility into the traffic loads they saw, we have been told by one major Tier 1 provider that they saw more than 300Gbps of attack traffic related to this attack. That would make this attack one of the largest ever reported.

The challenge with attacks at this scale is they risk overwhelming the systems that link together the Internet itself. The largest routers that you can buy have, at most, 100Gbps ports. It is possible to bond more than one of these ports together to create capacity that is greater than 100Gbps; however, at some point, there are limits to how much these routers can handle. If that limit is exceeded then the network becomes congested and slows down.

Over the last few days, as these attacks have increased, we've seen congestion across several major Tier 1s, primarily in Europe where most of the attacks were concentrated, that would have affected hundreds of millions of people even as they surfed sites unrelated to Spamhaus or CloudFlare. If the Internet felt a bit more sluggish for you over the last few days in Europe, this may be part of the reason why.

Questioned about the attacks, Sven Olaf Kamphuis, an Internet activist who said he was a spokesman for the attackers, said in an online message that, "We are aware that this is one of the largest DDoS attacks the world had publicly seen." Mr. Kamphuis said Cyberbunker was retaliating against Spamhaus for "abusing their influence."

"Nobody ever deputized Spamhaus to determine what goes and does not go on the Internet," Mr. Kamphuis said. "They worked themselves into that position by pretending to fight spam."

Of course, all of this has clearly exposed a big vulnerability in the setup of the internet, and suggests that slowing down the internet on a large scale is entirely possible. But it's also made security folks that much more aware of how urgent it is to fix a key vulnerability that made this possible: the fact that there are so many open DNS resolvers out there, which can be used to launch massive DDoS attacks. Because of that, security folks are rushing around to see if they can convince people to close as many as possible of the approximately 21.7 million open resolvers out there:

While lists of open recursors have been passed around on network security lists for the last few years, on Monday the full extent of the problem was, for the first time, made public. The Open Resolver Project made available the full list of the 21.7 million open resolvers online in an effort to shut them down.

We'd debated doing the same thing ourselves for some time but worried about the collateral damage of what would happen if such a list fell into the hands of the bad guys. The last five days have made clear that the bad guys have the list of open resolvers and they are getting increasingly brazen in the attacks they are willing to launch. We are in full support of the Open Resolver Project and believe it is incumbent on all network providers to work with their customers to close any open resolvers running on their networks.

Basically, over the last week or so, there's been a war going on, concerning parts of the core of the internet, and while it might not have impacted you yet (or, maybe it did), it's likely that the next round will be even bigger. In the meantime, the race is on to shut down open resolvers to try to keep the internet working, and hopefully to cut down on the power of such attacks.
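For operators who want to know whether a resolver they run is one of those open recursors, here is a small check, added as an example and not code from Techdirt, Cloudflare or the Open Resolver Project. It builds a standard recursive DNS query for example.com, sends it to a server you administer, and classifies the reply from its header flags: a reply with the "recursion available" bit set means the server will recurse for anyone who asks, while RCODE REFUSED is the closed state you want. The function names, the example.com query name and the 192.0.2.x addresses are assumptions; the sample replies at the bottom are constructed so the classification logic can be exercised offline.

```python
import random
import socket
import struct

# DNS header flag bits and response codes (RFC 1035, section 4.1.1).
FLAG_QR = 0x8000   # message is a response
FLAG_AA = 0x0400   # authoritative answer
FLAG_RD = 0x0100   # recursion desired (set by the client)
FLAG_RA = 0x0080   # recursion available (set by the server)
RCODE_MASK = 0x000F
RCODE_NOERROR = 0
RCODE_REFUSED = 5


def build_query(name, txid=None, qtype=1):
    """Build a single-question DNS query with RD set. qtype 1 = A. Returns (txid, bytes)."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack(">HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack(">HH", qtype, 1)  # qtype, qclass IN
    return txid, header + question


def classify_response(txid, data):
    """Classify a resolver's reply to our RD query from its header flags alone.

    'open'          RA set and not refused: the server recursed for an arbitrary client.
    'closed'        RCODE REFUSED: recursion is restricted to authorised clients (desired).
    'no-recursion'  RA clear, e.g. an authoritative-only server.
    'invalid'       too short, wrong transaction id, or not a response at all.
    """
    if len(data) < 12:
        return "invalid"
    rid, flags, _qd, _an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != txid or not (flags & FLAG_QR):
        return "invalid"
    rcode = flags & RCODE_MASK
    if rcode == RCODE_REFUSED:
        return "closed"
    if flags & FLAG_RA:
        return "open"
    return "no-recursion"


def check_resolver(server_ip, name="example.com", timeout=2.0):
    """Send one recursive query to a server you administer and classify its answer."""
    txid, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no-response"  # UDP/53 filtered or nothing listening
    return classify_response(txid, data)


# Constructed sample replies (not captured traffic) for offline use: each reuses the
# query's question section and patches the header, the way a real server echoes it.
QUERY_TXID, QUERY = build_query("example.com", txid=0x1234)
_A_RECORD = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1])


def _sample(flags, answer=b""):
    header = struct.pack(">HHHHHH", QUERY_TXID, flags, 1, 1 if answer else 0, 0, 0)
    return header + QUERY[12:] + answer


SAMPLES = {
    "open": _sample(FLAG_QR | FLAG_RD | FLAG_RA, _A_RECORD),   # recursed and answered
    "closed": _sample(FLAG_QR | FLAG_RD | RCODE_REFUSED),      # recursion refused
    "no-recursion": _sample(FLAG_QR | FLAG_RD | FLAG_AA),      # authoritative only
}


if __name__ == "__main__":
    import sys
    for label, reply in SAMPLES.items():
        print(f"constructed {label:13s} -> {classify_response(QUERY_TXID, reply)}")
    if len(sys.argv) > 1:  # e.g. python open_resolver_check.py 192.0.2.53 (a resolver you run)
        print(sys.argv[1], "->", check_resolver(sys.argv[1]))
```

Run it against the constructed samples first, then against your own resolver's public address from outside your network. An "open" result on a server that is only meant to serve your own clients means recursion should be limited to those clients (in BIND that is the `allow-recursion` option), which is exactly the cleanup the Open Resolver Project is asking network providers to do.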

from the what-percentage-of-$135-million-is-that? dept

For about five years now, we've been following the bizarre case of email marketer e360 vs. Spamhaus. As you may know, e360 sued Spamhaus for defamation (and a few other things) for listing e360 as a spammer. You may have heard about e360 winning over $11 million. You may have also heard about it asking for $135 million. And then there was a greatly reduced award of $27,000. Except now, the court has reduced the award down to $3. Yes, three whole dollars. It would appear that a court was not particularly impressed with e360. Let's review the history.

The whole lawsuit was silly, because Spamhaus' spam list is an opinion, not a factual statement. However, being a UK organization, Spamhaus (after initially engaging) decided to simply ignore the US judicial process, which resulted in the court granting a default judgment for over $11 million to e360. e360 then tried to force Spamhaus to shut down on the basis of that ruling, but the effort was rejected.

Around this time, Spamhaus decided to get back involved, asking for the default judgment to be set aside. The appeals court refused to do that, but did send the ruling back to the district court to figure out a way to more accurately determine damages. That resulted in the following, as summarized by Venkat Balasubramani at the link above:

Back at the district court, e360 was left with the task of proving up its damages, but it suffered a slew of discovery foibles. e360's principal failed to appear for his deposition as scheduled and failed to respond to Spamhaus's interrogatory requests. Spamhaus moved to dismiss on the basis of e360's discovery failures, and the trial court gave e360 another opportunity to address the discovery issues. e360 supplemented its previous responses but added a slew of new witnesses. It also increased its damages estimate from $11.7 million to a "whopping $135 million." It also sought to reopen discovery. The trial court said no dice and struck the new witnesses listed by e360 and struck e360's requested damage award to the extent it exceeded the initial $11.7 million request.

"I have never seen such an incompetent presentation of a damages case," Posner said. "It's not only incompetent, it's grotesque. You've got damages jumping around from $11 million to $130 million to $122 million to $33 million. In fact, the damages are probably zero."

That certainly provided a hint of what was to come. The award was reduced from $27,002 down to a mere $3. Honestly, $3 seems even more mocking than if the court had taken it down to $0. The ruling details e360's incompetence in handling this lawsuit, especially the damages claims, which appear to have been made up entirely by the guy who runs e360 using a formula he himself created. It then rejects even the $27,000, saying that even damages of that amount do not appear to be supported by the evidence, and so concludes that the only reasonable award is a "nominal" award of $1 for each of the three charges, making the grand total $3. The judge even points out that e360's own conduct in the case resulted in "snatch[ing] defeat from the jaws of certain victory."

By failing to comply with its basic discovery obligations, a party can snatch defeat from the jaws of certain victory. After our earlier remand, all e360 needed to do was provide a reasonable estimate of the harm it suffered from Spamhaus's conduct. Rather than do so, however, e360 engaged in a pattern of delay that ultimately cost it the testimony of all but one witness with any personal knowledge of its damages. That lone witness lost all credibility when he painted a wildly unrealistic picture of e360's losses. Having squandered its opportunity to present its case, e360 must content itself with nominal damages on each of its claims, and nothing more. We VACATE the judgment of the district court and REMAND this matter with instructions to enter judgment for the plaintiffs in the amount of three dollars.

from the spam-spam-spam-spam dept

Back in June we wrote about how the years-long lawsuit between "email marketing" (i.e., "spam") company e360 and anti-spam group Spamhaus concluded with a judge reducing an $11 million award down to just $27,000 for e360. If you don't recall, e360 sued Spamhaus for naming it on its top spammers list -- despite an awful lot of evidence that e360 does, in fact, engage in spam. Spamhaus, which is based in the UK, ignored the proceedings, which is why it got hit with the $11 million award. While e360 can't be happy about the lower award (one has to imagine its legal costs were much greater than that), $27,000 is still a lot of money for an operation like Spamhaus -- especially when the organization was just stating an opinion -- and one that it backed up with plenty of evidence.

So now, Michael Scott points us to the news that Spamhaus has filed a motion to reconsider even the $27,000 award, noting that it believes there are some errors in determining the $27,000 number. The filing notes that such motions are rarely successful, but lays out the reasons why it makes sense in this case. Specifically, the method for calculating the award was not one of the methods that e360 asked for, meaning Spamhaus had no chance to point out problems with the methodology. Spamhaus also makes it clear that if the court does not reconsider the $27,000, it will likely appeal the case back up to an appeals court. I can understand why Spamhaus is doing this, but it could backfire. I would imagine that asking the court to reconsider could potentially lead to a judge reconsidering in the other direction as well...

from the that's-a-bit-different dept

Many years back, an "email marketing" company called e360 Insight got upset that the anti-spam advocacy group Spamhaus included e360 on its list of biggest spammers -- a list that many service providers used for spam filtering. So, it sued claiming defamation. What followed was a bit silly, as Spamhaus (based in the UK) initially responded, but then started ignoring the lawsuit, claiming that a US court meant nothing to the UK-based operation. Because of that, a court awarded a default judgment to e360, and simply took its word on how much "damage" being on the list had caused. The end result? An award of $11 million for simply putting e360 on a list of spammers.

Spamhaus initially ignored the whole thing, again claiming US courts had no jurisdiction over it. However, after e360 sought an injunction to get Spamhaus shut down for failure to pay, Spamhaus got involved. Thankfully, a judge refused to shut down Spamhaus, and while an appeal didn't buy many of Spamhaus' arguments, it did throw out the $11 million award, and send it back to the lower court to recalculate the damages.

So, now, four years after the initial $11 million ruling, the court has reduced the damages award to $27,002. Quite a difference, huh? I would have to guess that e360's legal bills cost a hell of a lot more than $27k. It turns out that there were a bunch of problems for e360, and once it had to actually prove how much damage being on the list had done, suddenly it wasn't so interested in giving a straight answer or, at times, answering at all. As Venkat Balasubramani notes:

Despite litigating the case vigorously up to this point, when it came to damages, e360 seemed to muster a lot less energy. According to the court, e360 was "slow to provide information requested by Spamhaus . . . [and] missed several [d]eadlines." I'll spare readers a detailed discussion on damages, but the court's take can be summed up as follows:

The unreliability of [e360's] approaches is unmistakably demonstrated by the profound differences in claimed damages proffered at various points during these proceedings. Finally, it strains credulity that a company that made only a fraction of the profits [e360] asks for over the course of its five-year lifespan would have garnered profits in the amounts [e360] set out in [its] testimony or documentary evidence. The profit and loss statement [e360 provided] sets out the company's overall profits at $332,000. . . . .

At the time of default judgment, the damages claimed were $11,715,000. During discovery, Exhibit 5 was proffered reflecting damages of $135,173,577. At trial, proffered Exhibit 5(a) showed damages of $122,271,346. During final argument, the claimed amount was $30,000,000.

Yeah, if you've made a total of $332,000 in profits over the course of five years, perhaps don't claim $11 million in damages just because some company (most likely accurately) put you on a list of spammers.

As for that big question of whether or not the company was involved in spamming: well, others have certainly thought so. In the past, we've noted that the company had been sued for violating CAN-SPAM, and in another lawsuit e360 filed (against Comcast for filtering its spam), the judge stated pretty clearly that e360 fit the description of a spammer. On top of that, in the blog post above, Venkat points out that, just in going through this lawsuit, e360 appears to have now put on public record an awful lot of evidence that its activities fall under the definition of what most people would consider spam:

Ironically, through litigating this dispute, e360 caused to be memorialized in a court order, facts about its email practices (and the email marketing industry in general) that I'm guessing it would prefer not be in the public eye. Two facts jumped out at me from the order. First, e360 sent out 6.6 billion (!) emails through the course of its five year existence. Second, there were some familiar faces among the list of its customers: SmartBargains and Optinbig.